Call on Ken

Example: Is this REALLY Natwest?

Looking at the message which arrived it said it came from "support@natwest.com" and it had a subject line of "NatWest Bank Security Update" and what the email said was...

Dear Valued Customer,

- Our new security system will help you to avoid frequently fraud transactions and to keep your investments in safety.

- Due to technical update we recommend you to reactivate your account.

Click on the link below to login and begin using your updated NatWest account.

To log into your account, please visit the NatWest Online Banking https://www.nwolb.com/

If you have questions about your online statement, please send us a Bank Mail or call us at 0846 600 2323 (outside the UK dial +44 247 686 2063).

We appreciate your business. It's truly our pleasure to serve you.

NatWest Customer Care

This email is for notification only. To contact us, please log into your account and send a Bank Mail.

Clues

Looking at the headers of the email revealed quite a different story and what is showed was (amongst other things)...

...
Return-path: <biu0@hotmail.com>
...
From: support@natwest.com
...
Reply-To: support@natwest.com

So while is appears to come from natwest.com and even has that as the "Reply To" address, the return path is quite different.

Another thing particularly to note is the language that was used. Note the phrases "will help you to avoid frequently fraud transactions", "Due to technical update we recommend you to reactivate your account". Both these suggest that English is not the writer's first language!

Note also the continual urging you to log in to "your account" on their website. It is by luring you to their site that they can then persuade you to part with valuable information!

More Natwest!

Recently (Spring 2008) there seem to have been even more fake (spam) emails saying they are coming from Natwest and the following subject lines (or something like them) have all been noticed

In all cases the emails contained links which were quite clearly NOT Natwest (and some of them even contain viruses). Hovering the mouse over the link shows the following REAL addresses in the status bar...

http://nwolb.com.606076a398.com/...
http://www.nwolb.tareas-ya.com/...
http://natwest.co.uk.vatiantee.hi.cn/...
http://natwest.com.thevatiantee.com/...

The fact that these links contain the text 'natwest' or 'nwolb', doesn't mean it has anything to do with them! The addresses start from the OTHER end so the first one is 606076a398.com and the second is tareas-ya.com and so on. The rest of the address is just the directory structure within that website.

There could equally well be a link
http://natwest-online.callonken.co.uk --- but that wouldn't make it a Natwest link; it's still on the CallOnKen website!

Fake
NatWest